Users should be able to grant others access to their instance using OAuth2. This would make it easier for applications built on top of a popit database to get access to things which would normally require write access to an instance. Currently everypolitician is working around this by using CORS to explicitly whitelist that url, but this approach requires that all interactions be done on the client side.

Related to mysociety/popit-api#9